Quick search
⌘+K
Quick search
⌘+K
Since 2010, the Global Law Experts annual awards have been celebrating excellence, innovation and performance across the legal communities from around the world.
posted 1 month ago
The use of biometric information, such as fingerprints and facial scans, has been on the rise in recent years in cybersecurity, marketing and other applications. However, concerns about the collection, storage and use of biometric information have also proliferated. As a result, federal regulatory agencies and state legislatures have enacted policies and laws to regulate biometric information, which is considered part of personal data privacy.
For instance, in 2023, the US Federal Trade Commission (FTC) published a biometric information policy statement warning that the use of consumers’ biometric information without consent raises significant concerns about consumer data security, privacy and potential discrimination and bias. Additionally, biometric data lawsuits against businesses have increased in the US. Many of these cases target tech giants and employers that have violated data privacy laws.
In response to the rising use of biometric data, many states have enacted laws to govern biometric data privacy, fueling data misuse lawsuits.
The first and arguably the most stringent of these laws is Illinois’s BIPA, which has been a hotbed for biometric data lawsuits since its enactment in 2008. This Act defines “biometric identifiers” as iris or retina scans, voiceprints, fingerprints or scans of face or hand geometry. “Biometric information” is defined as information based on biometric identifiers.
BIPA applies to all businesses operating in Illinois and governs the collection, storage, disclosure, transmission and deletion of biometric information. The act provides for a private right of action and statutory damages of $1,000 per negligent violation, and $5,000 per reckless or intentional violation.
Although Illinois is the only state with a comprehensive biometric privacy law, other states have enacted similar laws. For example, California has the California Privacy Rights Act (CPRA) and the California Consumer Privacy Rights Act (CCPRA), which protect personal data, including biometric information.
New York recently passed the New York Biometric Privacy Act, while Texas has a biometric identifiers act, the Texas Capture or Use of Biometric Identifier Act (CUBI). Several other states, including Massachusetts, Maryland, Arizona, Hawaii, Minnesota, Tennessee, Nevada, Connecticut, Maine, New Jersey, Montana, Kentucky, Pennsylvania and Missouri, have introduced similar biometric data protection legislation.
In a 2019 precedent-setting ruling, the Illinois Supreme Court ruled favouring the plaintiffs in Rosenbach v Six Flags Entertainment Corporation. The Court found that BIPA claims can proceed even if a violation does not cause actual damage to the claimant. In the court’s opinion, a claimant need not show some actual adverse effect or injury beyond violation of their right under BIPA.
The impact of this ruling was substantial. There were fewer BIPA lawsuits between 2009 and 2018, around five cases on average. This number has grown to at least 130 biometric privacy cases every year since Rosenbach v Six Flags Entertainment Corporation.
In 2023, the Illinois Supreme Court issued other precedent-setting rulings that substantially evolved the BIPA litigation landscape. In Cothron v White Castle System, Inc., the Court held that BIPA claims accrue whenever data is illegally collected or disclosed. This clarified the interpretation of “per violation” to mean that, for instance, if employees use biometrics to sign in at work for each shift, a distinct violation occurs every time an employee signs in and their data is collected.
In Tims v Black Horse Carriers, Inc., the Court held that the statute of limitation for filing BIPA claims is five years instead of one year, as claimed by the defendants. Further, in Mosby v Ingall, the state Supreme Court considered healthcare exemptions under BIPA and determined that these exemptions apply to both patients and employees.
Tech giants are notorious for collecting and misusing user biometric data, a practice that has put them under scrutiny and attracted class action suits and huge settlements.
In July 2024, Meta agreed to a $1.4 billion settlement with Texas in a data privacy lawsuit where the state claimed that the tech giant had used biometric data without consent.
The plaintiff alleged that Meta violated the Texas Capture of Use of Biometric Identifier Act (CUBI), which prohibits collecting and selling Texans’ biometric information, such as fingerprints and face scans, without agreement.
The settlement is the largest secured by any single state, and it came three years after a similar suit where the company, formerly known as Facebook, was slapped with a $650 settlement in Illinois in 2021.
In 2022, TikTok’s parent company ByteDance Ltd. agreed to settle a class action biometric data lawsuit for $92 million. The company faced 21 separate class action cases filed in Illinois and California. These cases were merged into one complaint alleging that TikTok collected an array of users’ private data, including biometric information, and used it to profile and track users for purposes of ad targeting and profiting without consent. The plaintiffs further alleged that data belonging to US users was being sent to China, where it is subject to collection by the Chinese government.
The plaintiffs challenged these practices, citing numerous data privacy laws, including BIPA. The settlement agreement contained terms requiring TikTok to cease collecting and storing users’ biometric information in violation of applicable laws. The tech giant also agreed to stop transmitting US users’ data overseas, and to delete all pre-uploaded user-generated content collected from unposted or unsaved content.
In 2024, the US District Court for the Northern District of Illinois ruled against TikTok, finding that new lawsuits claiming the tech company violated BIPA are not covered by its 2022 settlement.
As the BIPA litigation landscape broadens, employment-related biometric data lawsuits have increased. This rise is partly due to the precedent-setting rulings in Tims v Black Horse Carriers, Inc. regarding BPA’s statute of limitation, and Cothron v White Castle System Inc. on claim accrual.
This category of data privacy lawsuits is emerging from the use of biometric technologies at workplaces, especially the adoption of AI-powered software that recognises facial geometry and voice patterns. As employers broaden the scope of biometric data they collect, BIPA is being tested as a tool to combat workplace surveillance.
Source: Bloomberg Law
References:
For more Latest Insight in Legal World Follow Us! Global law Experts News
Author
Kevin Gikonyo is a Kenyan lawyer with a Bachelor of Laws degree from the University of Nairobi School of Law.
Kevin serves as a legal journalist at Global Law Experts, where he delivers insightful and analytical reporting on emerging global legal trends and developments.
posted 2 days ago
Find the right Legal Expert for your business
Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
